Password Protected

Password Protected

Although it causes IT support employees to cringe, with reason, people sometimes recall passwords by writing them on Post-It Notes and sticking them to a computer monitor. In the past at Chippewa Valley Technical College (Wis.), that tactic would have begun to obscure the screen.

Before its identity management (IdM) strategies were made more cohesive by bringing together disparate systems on campus, faculty and staff frequently had at least seven passwords to remember. "There just wasn't a uniform system," says Chief Information Administrator Adam Stavn. "We began evaluating some of the products we had in place and integrating those with [Microsoft's] Active Directory." The college implemented "single sign-on" for about half its software and systems, which allows users to log in once to a webpage that acts as a portal to several applications.

"Mainly, it wasn't so much about the technical pieces, since there are many products available and we could always build something if we needed it," Stavn notes. "Instead, the hardest part was getting end users to understand new policies and procedures. It was more than a cultural change; it was a paradigm shift."

With more and more colleges and universities divulging security breaches, network lockdown has become a pressing concern everywhere. In its "2006 Current Issues Survey," EDUCAUSE identified security and identity management as the top IT issue for higher ed institutions. The survey report predicts that the challenge to keep information safe will become even more crucial in an increasingly digital world.

Security controls that route network traffic, create extensive logs, and do high-level intrusion detection are vital, but equally important for IHEs is the ability to verify system users. If someone can easily pose as a student or administrator and surf through sensitive databases, it puts the entire institution at risk and makes online data vulnerable to further breaches.

But meeting institutional needs can sometimes be tricky when it comes to making the user experience an easy one. As Chippewa administrators found, securing multiple systems and requiring numerous levels of authentication can be frustrating for users-and lead to more support costs in the long run.

As institutions work to keep data and networks safe, they're learning to balance user needs, implementation challenges, and funding limits, and finding there's much more to IdM than setting up a password protection scheme.

Management Office

Although IdM is necessary for institution-wide security, the tactic has other benefits for IHEs as well, including compliance with federal mandates like the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, and the Gramm-Leach-Bliley Act. Most colleges and universities have already stopped using Social Security numbers to identify individuals, due in part to legislation that mandates the utilization of other identification methods.

In addition to boosting security and privacy, IdM systems can also bring more budgetary and resource efficiencies into an institution-through lowered support costs, better communication among departments, and a more cohesive on-campus system.

But seeing IdM's benefits and putting in a crackerjack system can be two different things. According to the network infrastructure research and advisory firm Burton Group, IdM isn't just technology, but a set of business processes, policies, and supporting architecture for the creation, maintenance, and use of digital identities. In other words, an institution's CIO had better have significant openings in his or her schedule, because the meetings will be ongoing.

Companies might tout the success of their identity management systems, but the corporate world doesn't have a user turnover rate of 25 percent per year.
-Barry Ribbeck, EDUCAUSE Identity Management working group

"In creating a workable system, you're trying to balance the needs of many people and meet goals of collaboration without sacrificing security and privacy," says Dan Nanto, software architect in the Information Technology Services department at Vanderbilt University (Tenn.).

When Nanto came to Vanderbilt in 2005, he found a homegrown account provisioning service that didn't have very strong documentation and was difficult to maintain. In helping to create an industry-standard system that provided more security and used a central provisioning setup, he learned that getting the right technology was the easy part. "The biggest issue in making a major shift like this is the politics," he says. "People working here had built the system, they believed in it, and they were used to using it. It was hard for them to see that doing it any other way would be better."

Vanderbilt rolled out the first phase of a new IdM system from Sun Microsystems in December 2006, and the plan is to redirect management from the older system to the new. Taking the implementation in phases has helped soothe the political wrangles, Nanto says, but he's still not sure that a "big bang" approach wouldn't be better in the long run.

"Doing everything at once would alleviate the support problems of trying to have two different authentication systems," he says. "But we have to make sure that however we do it, everyone is involved in the decision and agreeing that this is the right direction. You can't make a decision as an island; you can't surprise people with big changes."

Beyond getting cross-institutional buy-in, creating a system that can handle the changing roles of those who are in the network can be another significant hurdle. For example, a prospective student-let's call him Joe Campus-might be given a certain level of access within the network in order to "look around" at university resources while making his decision. If Joe becomes a student, another level of access is needed, and then the process gets even trickier if Joe gets an on-campus job, takes a few classes at another school, gets hired as a teacher's assistant, goes on to grad school, and finally graduates, becoming an alumnus.

At each level, Joe will have access to different databases and systems, ranging from library resources to grading systems to alumni records. Now take Joe and multiply him by 10,000 or more. Then add in visiting professors, temporary staff members, volunteers, consultants, and vendors. The ensuing mix can be daunting for the technology staff at the IHE, particularly given the high turnover rate within the system.

"Companies might tout their identity management systems, but at no company will you find a turnover rate of 25 percent per year or more," says Barry Ribbeck, director of systems architecture and infrastructure at Rice University (Texas) and co-chair of the EDUCAUSE Identity Management working group. "Also, companies can assign usernames based on HR paperwork. At colleges and universities, you usually depend on self-assertion, which can become challenging."

In other words, how can an institution know that potential student Joe Campus is really who he claims to be? And, later, if that same person decides to be known as Joseph Campus, multiple records might be created. Often universities develop unique identifiers to make sure that people are tracked in a way other than their names, Ribbeck explains. Social Security numbers can't be used, but IHE-supplied numbers can be, as long as other security and privacy controls are in place to prevent hackers from matching up those identifiers with other information.

Rice is making great strides after years of not addressing IdM concerns, Ribbeck adds. The institution has it easier than some, with its smaller population of faculty, staff, and students. A security officer has been hired to put polices and procedures in place.

One of the largest goals at Rice is to expand user awareness of identity issues, which Ribbeck says can be difficult. "People have grown up in a culture where everything is open and free," he notes. "They like the collaborative aspect of the university network, but they really have to relearn how to protect themselves. We have to teach students, faculty, and staff the basics of identity protection. Otherwise, they're going to get burned."

Fresh Process

When communicating the need for better IdM to those on campus, the education tends to extend to lessons on personal computing devices, notes Harlan Jorgensen, director of computing resources at Northwestern College (Iowa).

"One of the biggest issues we face is students bringing in their own machines and logging on to the network," he says. "It can be difficult, because they need clean access, but we have to make sure that machine isn't a danger to the network." Northwestern has implemented technology from eTelemetry that helps to manage and identify user activity.

"It's not practical to try and manage all the identities that are in the
network, or [all who] want access. Some universities are like small cities, with visiting researchers and all kinds of complexities."
-David Murray, SunGard Higher Education

Jorgensen is currently in the process of writing more policies that address provisioning, account access, and IdM. In the past, he says, college officials felt confident because they had put up a strong intrusion detection system and solid firewalls, but then they gradually came to realize that those who resided within the college could be just as dangerous as those who were locked out. "We found that some students were finding ways around our rules in order to do file sharing," he says. To boost communication about new policies and help inform students in particular about IdM issues and general use of computing resources, Jorgensen and others on the technology staff are working with a student development council.

The group is assisting helping to create policy and to decide when network privileges should be yanked because of abuse. Having students make such decisions for other students helps keep end users in mind when changing technology or implementing new procedures, Jorgensen says. Student involvement can also be a boon for creating new programs around sign-on changes, since students are certainly not shy in voicing their opinions. "Our goal is to have a high level of service for users," he adds. "One way to meet that goal is to find out what that means for users and what they expect."

At many IHEs, user acceptance can be boosted through increased automation, says Dinesh Bahad, senior director for education at Sun Microsystems. Robust provisioning systems that work behind the scenes can cut down on the number of passwords needed and, more importantly, remove users that shouldn't be in the system. "There needs to be a certain level of self-service, where users can go in and identify themselves and their roles and make sure they're not in the system twice," says Bahad. "But there should also be provisioning done at a level invisible to the user."

Systems like those available from Sun and other vendors can help assign access levels and deprovision accounts from departing employees or those who've been granted temporary access. But that automation could result in conflicts from multiple systems joining together. "There is much more complexity in a college or university system than one managed by an enterprise, so automation can be more useful at a school than at a company," says Bahad. "But keep in mind that the complexity might not necessarily be a technology problem. It may be a human problem that arises from employee and student systems mixing together."

Automation shouldn't be implemented for its own sake, Bahad adds, but rather because it solves existing difficulties like overly complex records management and IdM issues.

That kind of switch to a vendor-driven system is in progress at Northwestern University (Ill.), which is implementing Sun technology to replace a homegrown system that it's had in place for the past decade, according to Thomas Board, director of Information Systems Architecture at the university.

"We wanted an easily modifiable system," he says. "Our homegrown technology couldn't be maintained confidently and couldn't be changed fast enough to meet the needs of the institution."

Relying on a vendor will also give Northwestern more of an opportunity to implement industry standards, Board notes, and create a system that is easier to use for those on the network. In the past, the university relied on its Admissions and Human Resources departments to supply user identities for the system, but that tended to create duplication that could be frustrating for users.

"The real payoffs of identity management will come in the form of additional institutional processes that address how departments operate together, how policies are written, and what level of collaboration and openness is expected," says Board.

He adds, "For any institution, this should be the top item for discussion. If you don't have centralized ID management-if you have it distributed across the institution-you need to be taking a hard look at changing that over the next couple years."

Strong Protection

In general, IHEs seem to be rising to the challenges inherent in the IdM process, says David Murray, chief technology officer at administrative software provider SunGard Higher Education.

For those contemplating a fresh start for their IdM system and policies, or those who want to make their procedures stronger, Murray recommends beginning from the point of business priorities, rather than just fretting about potential security breaches and putting systems in place to prevent them. "If you start by looking at technology, you fall into the mode of reacting rather than acting," he says. "It can feel so big that it's overwhelming." He advises that administrators break down IdM into manageable pieces, starting with the development of milestones and objectives.

Working with IT services, a CIO should look at account provisioning, policy development, centralizing authentication, and creating a technology plan that makes sense for the IHE, rather than mimics what's being done elsewhere. Also, Murray notes, schools should understand their limitations as well.

"It's not practical to try and manage all the identities that are in the network, or [all who] want access," he says. "Some universities are like small cities, with visiting researchers and all kinds of complexities. And those cities are tied to others, if a school has a partnership with another university or college."

The breadth of IdM could make some CIOs and IT teams yearn for the days when all they had to do was remind staffers to stop using Post-It Notes for password management. But if they see IdM as a journey rather than a destination, it might help to advance toward steady improvement.

Elizabeth Millard is a freelance writer based in Saint Louis Park, Minn., who specializes in covering technology.